Releases: mmaitre314/picklescan
v0.0.31
What's Changed
- Bypassing Unsafe Globals Check with Subclass Imports in #50 reported by @davcohen GHSA-f7qq-56ww-84cr
- Bypass via bad CRC in archive in #50 reported by @davcohen GHSA-mjqp-26hc-grxg
- Bypass via File Extension Mismatch in #50 reported by @davcohen GHSA-jgw4-cr84-mqxg
Full Changelog: v0.0.30...v0.0.31
v0.0.30
What's Changed
- Missing detection when calling pytorch function torch.utils.bottleneck.main.run_autograd_prof in #49 reported by @FredericDT GHSA-4whj-rm5r-c2v8
- Missing detection when calling built-in python ensurepip._run_pip in #49 reported by @FredericDT GHSA-xp4f-hrf8-rxw7
- Missing detection when calling built-in python lib2to3.pgen2.pgen.ParserGenerator.make_label in #49 reported by @FredericDT GHSA-p9w7-82w4-7q8m
- Missing detection when calling built-in python idlelib.run.Executive.runcode in #49 reported by @FredericDT GHSA-m869-42cg-3xwr
- Missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcommand in #49 reported by @FredericDT GHSA-j343-8v2j-ff7w
- Missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcode in #49 reported by @FredericDT GHSA-3gf5-cxq9-w223
- Missing detection when calling built-in python doctest.debug_script in #49 reported by @FredericDT GHSA-fqq6-7vqf-w3fg
- Missing detection when calling built-in python cProfile.runctx in #49 reported by @FredericDT GHSA-9w88-8rmg-7g2p
- Missing detection when calling built-in python cProfile.run in #49 reported by @FredericDT GHSA-49gj-c84q-6qm9
- Missing detection when calling built-in python library asyncio.unix_events._UnixSubprocessTransport._start in #49 reported by @FredericDT GHSA-q77w-mwjj-7mqx
Full Changelog: v0.0.29...v0.0.30
v0.0.29
What's Changed
- Missing detection when calling built-in python trace.Trace.run in #48 reported by @FredericDT GHSA-5qwp-399c-mjwf
- Missing detection when calling built-in python trace.Trace.runctx in #48 reported by @FredericDT GHSA-g344-hcph-8vgg
- Missing detection when calling built-in python profile.Profile.run in #48 reported by @FredericDT GHSA-x696-vm39-cp64
- Missing detection when calling built-in python profile.Profile.runctx in #48 reported by @FredericDT GHSA-6vqj-c2q5-j97w
- Missing detection when calling built-in python lib2to3.pgen2.grammar.Grammar.loads in #48 reported by @FredericDT GHSA-f54q-57x4-jg88
- Missing detection when calling built-in python idlelib.debugobj.ObjectTreeItem in #48 reported by @FredericDT GHSA-3vg9-h568-4w9m
- Missing detection when calling built-in python idlelib.autocomplete.AutoComplete.get_entity in #48 reported by @FredericDT GHSA-6w4w-5w54-rjvr
- Missing detection when calling built-in python idlelib.autocomplete.AutoComplete.fetch_completions in #48 reported by @FredericDT GHSA-7cq8-mj8x-j263
- Missing detection when calling built-in python code.InteractiveInterpreter in #48 reported by @FredericDT GHSA-cj3c-v495-4xqh
- Missing detection when calling built-in python idlelib.calltip.Calltip in #48 reported by @FredericDT GHSA-8r4j-24qv-fmq9
- Missing detection when calling built-in python library idlelib.calltip.get_entity in #48 reported by @FredericDT GHSA-9xph-j2h6-g47v
Full Changelog: v0.0.28...v0.0.29
v0.0.28
What's Changed
- Missing detection when calling pytorch function torch.utils.bottleneck.main.run_cprofile in #47 reported by @FredericDT GHSA-4r9r-ch6f-vxmx
- Missing detection when calling pytorch function torch._dynamo.guards.GuardBuilder.get in #47 reported by @FredericDT GHSA-86cj-95qr-2p4f
- Missing detection when calling pytorch function torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression in #47 reported by @FredericDT GHSA-f4x7-rfwp-v3xw
- Missing detection when calling pytorch function torch.utils.collect_env.run in #47 reported by @FredericDT GHSA-f745-w6jp-hpxx
- Missing detection when calling pytorch function torch.utils.data.datapipes.utils.decoder.basichandlers in #47 reported by @FredericDT GHSA-h3qp-7fh3-f8h4
- Missing detection when calling pytorch function torch.jit.unsupported_tensor_ops.execWrapper in #47 reported by @FredericDT GHSA-vr7h-p6mm-wpmh
- Missing detection when calling pytorch function torch.utils._config_module.load_config in #47 reported by @FredericDT GHSA-vv6j-3g6g-2pvj
Full Changelog: v0.0.27...v0.0.28
v0.0.27
What's Changed
- Pickle parsing logic flaw leads to malicious pickle file bypass in #46 reported by @Lyutoon GHSA-9gvj-pp9x-gcfr
Full Changelog: v0.0.26...v0.0.27
v0.0.26
v0.0.25
What's Changed
- Exfiltration via DNS through linecache and ssl.get_server_certificate in #40 reported by @david3107 GHSA-93mv-x874-956g
- Missing detection when calling built-in python library function timeit.timeit() in #40 reported by @SeaW1nd GHSA-v7x6-rv5q-mhwc
- Picklescan failed to detect some unsafe global functions in the NumPy library in #40 reported by @SeaW1nd GHSA-fj43-3qmq-673f
- commands module missing in unsafe globals in #40 reported by @madgetr
Full Changelog: v0.0.24...v0.0.25
v0.0.24
What's Changed
- Degrade gracefully when scanning password-protected zip files by @mmaitre314 in #39
Full Changelog: v0.0.23...v0.0.24
v0.0.23
What's Changed
- Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch by @madgetr in e58e45e GHSA-w8jq-xcqf-f792
- Zip Exploit Crashes Picklescan But Not PyTorch by @madgetr in e58e45e GHSA-7q5r-7gvp-wc82
Full Changelog: v0.0.22...v0.0.23
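The entries above describe two recurring failure classes of a static pickle scanner: the deny-list model behind every "Missing detection" entry (a dangerous callable is only flagged once its exact module and name are listed), and container handling in the v0.0.31 bypasses (file-extension mismatch, bad CRC in the archive) and the v0.0.23/v0.0.24 zip entries (a malformed or password-protected archive must produce an error, not a crash or a "clean" verdict). The following is an added, self-contained illustration of those two points, written for this page; it is not picklescan's own code, and the deny-list contents, the member-selection heuristic, the function names and the constructed sample streams are all assumptions of the example. The hostile streams only reference `os.system` through a GLOBAL/STACK_GLOBAL opcode and are never unpickled.

```python
import io
import pickle
import pickletools
import zipfile
from dataclasses import dataclass, field

# Constructed deny-list for this example only (not picklescan's list). A real
# scanner's list is far longer; each "Missing detection" entry above adds a pair.
UNSAFE_GLOBALS = {"os": {"system", "popen"}, "subprocess": {"Popen", "run"},
                  "builtins": {"eval", "exec", "__import__"}}
# Opcodes that push a string constant; STACK_GLOBAL consumes the last two.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


@dataclass
class ScanResult:
    globals_found: list = field(default_factory=list)  # every (module, name) import
    unsafe: list = field(default_factory=list)         # imports matching the deny-list
    errors: list = field(default_factory=list)         # parse / archive problems

    @property
    def verdict(self) -> str:
        # Fail closed: a stream we could not fully parse is never reported "clean".
        if self.unsafe:
            return "dangerous"
        return "error" if self.errors else "clean"


def _record(module: str, name: str, result: ScanResult) -> None:
    result.globals_found.append((module, name))
    # Exact (module, name) matching is the deny-list model: a dangerous callable
    # reachable under any other module path is missed until it is listed.
    if name in UNSAFE_GLOBALS.get(module, ()):
        result.unsafe.append((module, name))


def scan_pickle_bytes(data: bytes, result: ScanResult) -> None:
    """Walk the opcode stream without executing it; collect GLOBAL/STACK_GLOBAL."""
    strings = []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in STRING_OPS:
                strings.append(arg)
            elif op.name == "GLOBAL":            # arg is "module name"
                module, name = arg.split(" ", 1)
                _record(module, name, result)
            elif op.name == "STACK_GLOBAL":      # operands are the two prior strings
                if len(strings) < 2:
                    result.errors.append("STACK_GLOBAL without two string operands")
                else:
                    _record(strings[-2], strings[-1], result)
    except Exception as exc:                     # truncated or malformed stream
        result.errors.append(f"pickle parse error: {exc!r}")


def scan_bytes(data: bytes) -> ScanResult:
    """Dispatch on content (zip magic), never on the caller's file extension."""
    result = ScanResult()
    if not zipfile.is_zipfile(io.BytesIO(data)):
        scan_pickle_bytes(data, result)
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                try:
                    member = zf.read(info.filename)  # BadZipFile on CRC mismatch,
                except (zipfile.BadZipFile, RuntimeError,  # RuntimeError if encrypted
                        NotImplementedError) as exc:
                    result.errors.append(f"{info.filename}: {exc}")
                    continue
                # Member-selection heuristic (assumption): PROTO marker or .pkl name.
                if member.startswith(b"\x80") or info.filename.endswith(".pkl"):
                    scan_pickle_bytes(member, result)
    except zipfile.BadZipFile as exc:
        result.errors.append(f"archive: {exc}")
    return result


def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def run_demo() -> dict:
    """Constructed inputs; the hostile streams reference os.system but are never loaded."""
    benign = pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)
    hostile_global = b"cos\nsystem\n."                         # protocol-0 GLOBAL
    hostile_stack = b"\x80\x04\x8c\x02os\x8c\x06system\x93."   # protocol-4 STACK_GLOBAL
    archive = _make_zip({"data.pkl": hostile_stack})           # zip wrapper, name ignored
    idx = archive.find(hostile_stack)                          # flip one stored byte: bad CRC
    bad_crc = archive[:idx] + bytes([archive[idx] ^ 0xFF]) + archive[idx + 1:]
    return {
        "benign": scan_bytes(benign).verdict,
        "global": scan_bytes(hostile_global).verdict,
        "stack_global": scan_bytes(hostile_stack).verdict,
        "zip": scan_bytes(archive).verdict,
        "zip_bad_crc": scan_bytes(bad_crc).verdict,
        "truncated": scan_bytes(b"\x80\x04\x8c\x02os").verdict,
    }
```

`run_demo()` returns `dangerous` for the two bare hostile streams and for the zip-wrapped one, `clean` for the benign pickle, and `error` for both the CRC-corrupted archive and the truncated stream. The `error` verdicts are the point of the archive entries above: a scanner that skips an unreadable member, or that crashes, lets the consumer (which may be more lenient about the same archive) load what was never inspected, so anything short of a full parse is surfaced rather than treated as clean.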
v0.0.22
What's Changed
- Picklescan fails to detect unsafe globals in PyTorch models with non-standard Pickle file extensions by @madgetr in baf03fa GHSA-769v-p64c-89pr
- Picklescan fails to detect some unsafe globals by @madgetr in 93764d6 GHSA-655q-fx9r-782v
Full Changelog: v0.0.21...v0.0.22